Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`CurvePool::withdraw` is using wrong parameters

ChainDefenders

Summary

The _withdrawFromVault function in the LiquidityPool contract has an incorrect parameter ordering when calling the curveVault.withdraw function. Specifically, the owner parameter is incorrectly passed as the receiver, and the receiver parameter is incorrectly passed as the owner.

Vulnerability Details

The withdraw function in the LiquidityPool contract is designed to withdraw assets from the Curve Vault and transfer them to the specified receiver. However, the parameters passed to the curveVault.withdraw function are incorrect:

curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));

Expected Behavior:
- assets: The amount of assets to withdraw.
- receiver: The address to receive the withdrawn assets.
- owner: The address whose shares are being burned.
- max_loss: The maximum acceptable loss in basis points.
- strategies: An optional array of strategies to withdraw from.
Actual Behavior:
- The receiver is incorrectly set to address(this) (the contract itself).
- The owner is incorrectly set to msg.sender (the caller).

This misalignment means that:

The withdrawn assets will be sent to the contract itself (address(this)) instead of the intended receiver (msg.sender) or more likely will not work at all.

Impact

This issue results in funds being withdrawn incorrectly or the transaction failing entirely, leading to the following risks:

User Withdrawals May Fail – Since the owner is set to the contract itself (msg.sender) instead of the user (address(this)), users may not receive their funds upon withdrawal.
Locked Funds in the Contract – If the withdrawal succeeds but assets remain in the contract, users might need a separate transaction to claim their funds, adding unnecessary complexity and potential security risks.

Tools Used

Manual review

Recommendations

Refactor the code in the following way:

+ curveVault.withdraw(amount, msg.sender, address(this), 0, new address[](0));

- curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));

Also the problem here is that we need to have two function for withdraw, one that we are going to use to withdraw during ensureLiquidity with receiver msg.sender and another one with receiver reserveRTokenAddress during rebalance.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool::_withdrawFromVault incorrectly uses msg.sender instead of address(this) as the owner parameter, causing vault withdrawals to fail

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.